I’ve often said that security, in this case information/cyber security, is part technical acumen and part psychology. Sure, there are other concepts that get sprinkled in such as budgeting, presentation skills, etc., but broadly speaking I believe technical knowledge, whether hands-on or conceptual, and the psychology of risk and security cover it. Along these lines, I have often found myself asking organizations how they view security. Is security considered a necessary evil and just another cost center? Is it considered the “Department of No”? On the flip side, is security viewed as an asset, value-add, and revenue defender? The answers I get are very telling and often change depending on which level in a company’s hierarchy is answering the question. However, there is one catch phrase that stands out that immediately signals, at best, an exaggeration, and at worst outright dishonesty:
“Security is top of mind for everyone here”
To be blunt, no it’s not, and to think so borders on willful ignorance. Furthermore, security should NOT be top of mind for everyone at a company.
I tend to use bad analogies, so here’s one: When I’m driving somewhere, my goal is to get to my next destination, usually in a timely manner. By definition, that is top of mind. The route I take and the way I drive exist in support of the top-of-mind goal. If I don’t leave early enough or don’t take an efficient route, I may not get to my destination on time. If I don’t drive safely I may get pulled over, or worse, cause an accident which may lead to damage to my vehicle and injury to myself and others.
To think that each and every employee, consultant, and intern has security top of mind just isn’t realistic. Accounting departments want to ensure accurate record keeping of a company’s finances. Human resources is maintaining employee records, onboarding, offboarding, and managing benefits. Sales people are, well, selling. Everyone’s “top of mind” task is to accomplish their job duties in a satisfactory way. To be successful, they need to perform their duties efficiently and securely.
This leads to the inevitable conclusion that it is up to a security department/team/person to enable a workforce to perform their duties securely. Security, at its core, is a support and enablement function. Security should be the only function where security is top of mind. It is up to us security professionals to support the workforce and enable them to work securely. We are the ones who design and install a company’s crash avoidance, airbags, lane departure warnings, and other safety features so that the vehicle we’re all in is able to continue on to its destination. It’s hard, no doubt. Yet if we’re going to do this thing called security, let’s at least understand what our role is, and ensure that those in positions of corporate leadership also understand how we fit into the bigger picture. In the meantime, let’s please try to keep the lip service to a minimum.